HELP!!! Avira Found Malware on WRSA.exe

calix · Jul 26, 2011

My Avira Free AV detects malware on WRSA.EXE. What should I do? Right now Avira is asking me to move to quarantine the WRSA.EXE, do i need to click yes and apply? Please advice. TIA

http://k.min.us/jbX9Tq.jpg

Triple Helix · Jul 26, 2011

Report to Avira that it is a False Positive! But don't let Avira remove the WRSA.exe files!

HTH,

TH

delah · Jul 26, 2011

I have paid Prevx3 and that identified the beta as malware as well!
I reported it.

Triple Helix · Jul 26, 2011

delah said:

I have paid Prevx3 and that identified the beta as malware as well!
I reported it.
Click to expand...

How can that be possible you can't run Prevx 3 and WRSA at the same time? Or are you talking about the install file?

TH

calix · Jul 26, 2011

Thanks. I already submitted wrsa.exe to avira and its "Under Analysis".
Hope they can reply since Avira now is always asking me to remove wrsa.exe.

Triple Helix · Jul 26, 2011

calix said:

Thanks. I already submitted wrsa.exe to avira and its "Under Analysis".
Hope they can reply since Avira now is always asking me to remove wrsa.exe.
Click to expand...

This will always happen during the Beta testing some other AV will detect WRSA as malware!

See this post: https://www.wilderssecurity.com/showpost.php?p=1891425&postcount=67

TH

calix · Jul 26, 2011

Triple Helix said:

This will always happen during the Beta testing some other AV will detect WRSA as malware!

See this post: https://www.wilderssecurity.com/showpost.php?p=1891425&postcount=67

TH
Click to expand...

I forgot to tell you that there were 2 files detected by avira, aside from wrsa.exe it also detected WRusr.dll as malware.

Does WRusr.dll belongs to Webroot?

Triple Helix · Jul 26, 2011

calix said:

I forgot to tell you that there were 2 files detected by avira, aside from wrsa.exe it also detected WRusr.dll as malware.

Does WRusr.dll belongs to Webroot?
Click to expand...

Yes it does and FP also!

TH

calix · Jul 26, 2011

Triple Helix said:

Yes it does and FP also!

TH
Click to expand...

Thank you for your prompt reply.

anyhow, this is what avira site said about WRusr.dll

Thank you for your submission. Below you can see the current status of the uploaded files.

A listing of files alongside their results can be found below:
File ID Filename Size (Byte) Result
26234301 WRusr.dll 115.34 KB MALWARE

Please find a detailed report concerning each individual sample below:
Filename Result
WRusr.dll MALWARE

The file 'WRusr.dll' has been determined to be 'MALWARE'. Our analysts named the threat TR/Gendal.6274057. The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection is added to our virus definition file (VDF) starting with version 7.11.12.86.
Click to expand...

Triple Helix · Jul 26, 2011

calix said:

Thank you for your prompt reply.

anyhow, this is what avira site said about WRusr.dll
Click to expand...

But it's still a FP and don't let Avira remove those files! PrevxHelp will give us more info!

TH

calix · Jul 26, 2011

Thanks again!

I emailed back Avira and explained to them that those 2 files belong to WebRoot Secure Anywhere Beta.

Triple Helix · Jul 26, 2011

calix said:

Thanks again!

I emailed back Avira and explained to them that those 2 files belong to WebRoot Secure Anywhere Beta.
Click to expand...

Your Welcome please let us know how it goes!

TH

calix · Jul 26, 2011

Update:

Avira just replied about my inquiry about wrsa.exe & wrusr.dll, and here is what they have to say...

Thank you for your recent inquiry.

We could not find a virus in the attachment you have sent us.
This is a false positive. We will take out the pattern recognition in one of our next updates.

====

The file 'WRSA.exe' has been determined to be 'FALSE POSITIVE'.In particular this means that this file is not malicious but a false alarm.Our analysts named the threat TR/Gendal.6274057.The term "TR/" denotes a trojan horse that is able to spy out data, to violate your privacy or carry out unwanted modifications to the system.Detection is added to our virus definition file (VDF) starting with version 7.11.12.86.Detection will be removed from our virus definition file (VDF) with one of the next updates.
Click to expand...

http://analysis.avira.com/samples/d...Ppjv821TrckZVA10srbDvfkhLgJ&incidentid=790770

Triple Helix · Jul 26, 2011

Great thank you!

TH

PrevxHelp · Jul 26, 2011

For what it's worth, the file "wrkrn.sys" is also a Webroot file

Thanks!

Triple Helix · Jul 26, 2011

PrevxHelp said:

For what it's worth, the file "wrkrn.sys" is also a Webroot file

Thanks!
Click to expand...

I can't find that file on Win 7 x64

TH

Matthijs5nl · Jul 26, 2011

Triple Helix said:

I can't find that file on Win 7 x64

TH

View attachment 228306
Click to expand...

It is the deep level driver (it also boots up in Safe Mode for example), should be in system32/drivers I guess.

Triple Helix · Jul 26, 2011

Matthijs5nl said:

It is the deep level driver (it also boots up in Safe Mode for example), should be in system32/drivers I guess.
Click to expand...

Thanks a simple search didn't find it but a search of System32 did!

TH

delah · Jul 26, 2011

Triple Helix said:

How can that be possible you can't run Prevx 3 and WRSA at the same time? Or are you talking about the install file?

TH
Click to expand...

I meant the install file.

PrevxHelp · Jul 26, 2011

Triple Helix said:

I can't find that file on Win 7 x64
Click to expand...

It will be under the actual C:\Windows\System32\Drivers\ folder - it is a native 64bit driver (you might be browsing under C:\Windows\Syswow64\drivers\ which is where 32bit applications would write).

Triple Helix · Jul 26, 2011

PrevxHelp said:

It will be under the actual C:\Windows\System32\Drivers\ folder - it is a native 64bit driver (you might be browsing under C:\Windows\Syswow64\drivers\ which is where 32bit applications would write).
Click to expand...

Triple Helix said:

Thanks a simple search didn't find it but a search of System32 did!

TH
Click to expand...

I have found it thanks Joe!

Daniel

Log in or Sign up

HELP!!! Avira Found Malware on WRSA.exe

calix Registered Member

Attached Files:

wrsa.jpg

Triple Helix Specialist

delah Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

PrevxHelp Former Prevx Moderator

Triple Helix Specialist

Matthijs5nl Guest

Triple Helix Specialist

delah Registered Member

PrevxHelp Former Prevx Moderator

Triple Helix Specialist

Log in or Sign up

HELP!!! Avira Found Malware on WRSA.exe

calix Registered Member

Attached Files:

wrsa.jpg

Triple Helix Specialist

delah Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

calix Registered Member

Triple Helix Specialist

PrevxHelp Former Prevx Moderator

Triple Helix Specialist

Matthijs5nl Guest

Triple Helix Specialist

delah Registered Member

PrevxHelp Former Prevx Moderator

Triple Helix Specialist

Useful Searches